The Toronto-area dental office didn’t know it but the security camera in its waiting room was being streamed live on the Internet.
Anyone could log on to the website and watch as patients came and went. Front-desk staff answering phones and working on their computers entering patient information.
It could be a serious breach of patient privacy. But it’s more than that – unsecured cameras also leave the entire network open for virtual intruders.
The video was being broadcast on Insecam.org, a website originating from Russia. The site picked it up and streamed it along with hundreds of other security cameras that still have factory-default passwords or are left with minimal security.
“Everyone was surprised and we were kind of concerned,” said an administrative assistant at the dental office whose name Global News is withholding for security reasons. “We have a lot private information here.”
In homes, workplaces and other private spaces across the country there is a security risk hanging over the heads of many Canadians – wireless surveillance cameras left unsecured.
Cameras across the country show people gathering for prayers at a church in northern Ontario, homes where street addresses are visible, or the inside of businesses in Ontario, B.C. and Nova Scotia.
When Global News alerted the GTA clinic that their camera was being broadcast for thousands to see, they secured their cameras and the feed was taken down.
The manager of the dental office said they installed new security cameras in October after break-ins at the clinic, but forgot to change the default password.
“When you sent them the picture, actually you scared [the office staff], honestly,” the manager said, adding the office only has a camera in the front where the public has access and does not have cameras in private areas like offices or rooms where patients are being treated.
“I’m the kind of person who’s trying to be on top of things, very careful,” he said. “That’s why my first reaction is that I contacted my IT guy to see, ‘How could that happen?'”
The rise of the Internet of Things
Security and privacy experts say the increased use of wireless security cameras is part of the rising trend of internet-connected home devices, known as the Internet of Things, or IoT. It can include everything from baby monitors to so-called smart TVs and even home appliances like fridges.
But the explosion of IoT, including wireless surveillance, is providing new security threats and vulnerabilities that cyber criminals can exploit, says Daniel Tobok a cyber-intelligence expert based in Toronto.
“What a lot of people seem to miss is the fact that, if there is an open and vulnerable camera system, you’re just one or two hops away from entering infrastructure within that particular [company],” said Tobok.
Forgetting to change the default password on a camera or selecting a simple password create security risks as the camera can be a potential entry point to computer servers, Tobok said.
“The danger is not that they can see inside, and who is drinking an extra cup of coffee,” he said. “It actually comes down to the fact that they can use that to get into [digital] infrastructure.”
Tobok, who is chief executive officer of Cytelligence Inc., said his company is often hired to explore flaws in the digital security networks of large corporations.
“When somebody can penetrate that particular server, they can jump into other infrastructure parts. Again, that can be the router, and they can open up other ports for them to come in with a bigger attack,” he said. “They can reconfigure things like the firewall. They can jump on the Wi-Fi. There’s a lot of things that they can do.”
LISTEN: Cyber security expert Dave Shipley weighs in on 640 Toronto
The number of consumer-owned connected devices in Canada is growing rapidly. Research from IDC Canada, a global market intelligence firm, found IoT devices in Canadian homes is expected to grow 60 per cent between now and 2021.
“When you’re talking about increasing devices, you are talking about the number of known vulnerable nodes in the house,” IDC Canada market analyst Manish Nargas told Global News. “It is a concern that both consumers and companies need to be aware of.”
“Having real time video in your house is something that not everyone can afford or even think about doing earlier,” he said. “From the consumer’s perspective you really don’t hear a lot until something major happens like a major brand has a [privacy breach].”
The IDC report also indicated homes installing web connected security and monitoring devices will grow by 47 per cent between 2017 to 2021.
Many of the wireless cameras in Canada currently being livestreamed online are being done so without the owner’s knowledge.
In addition to the Ontario dental clinic, an unsecured camera at an Ontario daycare, as Global News reported in May, shows roughly a dozen small children being supervised by three adults in a classroom.
Another shows a home in Ontario with a clearly visible address. It’s being broadcast online, providing approximate geographical locations for the cameras.
Former Ontario Privacy commissioner Ann Cavoukian said broadcasting personal information, like a home address or a person’s identity, pose a security and privacy risk and the cameras could be accessed by nefarious third parties.
Cavoukian said facilities like a daycare or medical clinics have a responsibility to protect people’s privacy.
“You would be surprised how sensitive some information can be,” said Cavoukian, who now heads the Privacy by Design Centre of Excellence at Ryerson University. “[Patients] may not want to be known that they are there. It’s very sensitive information what they are doing at a particular kind of medical clinic.”
“Beware of all things connected, in terms of smart devices or Internet of Things. They have extremely weak privacy and security measures attached to them.”
She also said companies that manufacture these devices should bear greater responsibility for security.
“Don’t make the default that if the customer doesn’t actually take the time to change [the password] then that means, actually, all this video footage is accessible,” she said. “Make the default the opposite, that the moment you buy a camera no one can access it.”
In 2015, Toronto police investigated an incident involving webcam hacking after someone sent a 27-year-old Toronto woman intimate photos of herself and her boyfriend watching Netflix taken via her webcam. A separate incident in southwestern Ontario that same year involved a family who had a terrifying ordeal when the camera monitoring their young child suddenly began playing music and a voice said they were being watched.
Global News contacted Defeway, Axis, Vivotek- the companies whose products are most commonly listed as cameras being broadcast online. And at least one is taking steps to make things more secure.
In an email, a spokesperson for Vivotek said the company has updated its camera to require the user to enter a secure password.
“Our latest firmware released forces the customer to input unique login credentials, that follow the Security Hardening Guide,” the spokesperson said.
A spokesperson for Axis says it has a guide to help customers apply appropriate security controls and does not recommend customers to “expose cameras to Internet. ”
“Exposing devices is the main reason why so many IoT devices gets compromised,” Bjorn Hallerborn said in an email. “When exposed devices is combined with default or weak passwords it increases the risks.”
“Axis continuously review, audit and adjust protection based on identified threats and risks. This includes the default protection configuration.”
Defeway did not respond to a request for comment.
Digital experts offer information on what you need to know when buying a wireless surveillance system or web-connected device.
For Tobok, he sees the danger of careless digital security and what can happen. He warns Canadians to be proactive rather than reactive.
“We have seen a trend where bad guys are actually leveraging vulnerabilities in cameras to hold people ransom, businesses, and consumers,” he said. “Where they say, ‘Hey, I have this video of you. Pay me X amount of dollars and I’ll go away.’ When they say no, they publish it.”
© 2017 Global News, a division of Corus Entertainment Inc.